California Attorney General Puts Mobile App Developers on Notice

California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven’t posted privacy policies, at least where users can easily find them.

The attorney general is giving recipients 30 days “to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,” according to a prepared statement.

A sample letter defines the issue at hand. “An operator of a mobile application (“app”) that uses the Internet to collect PII is an “online service” within the meaning of CalOPPA. An app’s commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is ‘reasonably accessible’ to the user within the app.”

The AG’s office didn’t specify companies but said “the letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms.”

The news service Bloomberg reports that United and Delta airlines and the online reservations site OpenTable are among the targeted companies receiving notices they are in violation of the state’s privacy protocol for mobile applications released in February.

California is at the vanguard of states requiring privacy policies for mobile applications, acknowledging the growing shift in consumer use of mobile devices such as smartphones and tablets.

Apple, Amazon, Google, Facebook, Microsoft, Research in Motion and HP earlier agreed to let users review app privacy policies before they are downloaded and to post data collection guidelines in a consistent place in accordance with California’s Online Privacy Protection Act.

“The letters are the first step in taking legal action to enforce the California Online Privacy Protection Act, which requires commercial operators of online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy,” according to the statement.

“Privacy policies are an important safeguard for consumers. Privacy policies promote transparency in how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.”

Discussion

Dear California AG. My company doesn't wish to do business in your state any longer. If any of your citizens download my app I will bill the state of California $5,000 per occurrence. Thank you for your business.

Hey, California. IANAL, but if a company isn't in your state, this is called "Interstate Commerce." There's some document you might vaguely remember hearing about. It's called the Constitution. Interstate Commerce was one of the big driving forces that drove it. IOW, you have no jurisdiction. So, good luck with that.

Now this sounds like it is not just a good idea, but a great idea. From the comments posted I gotta believe these folk are up to no good and should go find some ditches to dig. Better yet go help the poor people on the east coast. They really do need the hot air.

The 1st three posts aren't saying anything about whether or not forcing these companies to post their privacy policy is a good idea. It IS a good idea. It's just that a specific state can't do it. It has to be done at the federal level. And, I'm not sure if even that would allow enforcement against non-US companies.

Authors

Threatpost
